Abstract

An efficient algorithm for computing lower bounds on the global linear complexity of nonlinearly filtered PN-sequences is presented. The technique developed here is based exclusively on the realization of bitwise logic operations, which makes it appropriate for both software simulation and hardware implementation. The present algorithm can be applied to any arbitrary nonlinear function with a unique term of maximum order. Thus, the extent of its application to different types of filter generators is quite broad. Furthermore, emphasis is on the large lower bounds obtained, which confirm the exponential growth of the global linear complexity for the class of nonlinearly filtered sequences.
1 Introduction
Many procedures in modern communication systems require binary sequences which appear to be random but have, in fact, been generated in a deterministic way. They are the so-called pseudorandom sequences. In cryptographic applications the sequence obtained in such a way is referred to as the keystream.

To provide secure encryption the keystream must satisfy several properties of cryptographic nature such as: long periods, balanced statistics, mth-order correlation immunity, distance to linear functions, avalanche criterion... (for a more detailed survey see [9]). In addition, a keystream generator has to be unpredictable: that is, given a portion of the output sequence, a cryptanalyst should be unable to predict other bits forward or backward. A widely accepted measure of the unpredictability of a sequence is the linear complexity, defined as the length of the shortest linear recursion over GF(2) satisfied by such a sequence.
One of the most commonly used keystream generators is obtained by applying a nonlinear function to the stages of a maximal-length Linear Feedback Shift Register (LFSR). This type of generator is called a 'filter generator'. The linear complexity of the resulting keystream can be computed in two different ways:

1.- Analysing the digits of the output sequence by means of the Berlekamp-Massey LFSR synthesis algorithm [6].

2.- Studying the nonlinear function applied to the LFSR's stages.

Local linear complexity and global linear complexity are obtained in each case respectively. The global linear complexity of a filter generator depends exclusively on the particular form of the filter and the LFSR's minimal polynomial. Generally speaking, there is no systematic method to predict the resulting global linear complexity. This is the reason why statements like 'it is extremely difficult to lowerbound (or guarantee) the linear complexity of the sequences produced by nonlinearly filtering the state of an LFSR' [8, p. 57] can be found in the open literature. Nevertheless, some authors have faced this problem and several references can be quoted. Apart from the works of Groth [2] and Key [3], Kumar and Scholtz [5] derived a general lower bound for the class of bent sequences, although the LFSR's length is restricted to be a multiple of 4. Rueppel [8] established his root presence test for the product of distinct phases of a PN-sequence, which is based on the computation of determinants in a finite field. One of the most recent works on this subject, [7], has focused on the use of the Discrete Fourier Transform technique to analyse the global linear complexity. Most of the above-mentioned works impose rather restrictive conditions on the LFSR's length, the order of the nonlinear function or the particular form of the applied function.

Based on the works [8] and [1], a new algorithm (the so-called LB-algorithm) is proposed for the computation of lower bounds on the global linear complexity. This algorithm can be applied to any arbitrary nonlinear filter with a unique term of maximum order. In fact, no restrictions are imposed on the LFSR's stages, the particular form of the filter or the LFSR's minimal polynomial. On the other hand, the most important feature of the LB-algorithm is that it is based exclusively on the realization of bitwise logic operations (OR, AND and XOR), which makes it well suited to either software simulation or hardware implementation.

As the algorithm INPUTS are $L$ (LFSR's length) and $k$ (order of the function), the lower bound obtained is valid for any $k$th-order function with a unique term of maximum order and for any LFSR of length $L$.



2 Review of the Root Presence Test and New Definitions

Some fundamental concepts and notation which are used in this work can be 
introduced as follows. 

$S$ is the output sequence of an LFSR whose minimal polynomial $m_S(x) \in GF(2)[x]$ is primitive. $L$ is the length of the LFSR. $\alpha \in GF(2^L)$ is one root of $m_S(x)$. $f_k$ denotes the unique maximum-order term of a nonlinear $k$th-order function $f$ applied to the LFSR's stages, $f_k = s_{n+t_0}\, s_{n+t_1} \cdots s_{n+t_{k-1}}$, where the symbols $t_j$ ($j = 0, 1, \dots, k-1$) are integers verifying $0 \le t_0 < t_1 < \cdots < t_{k-1} < 2^L - 1$. In this work only the contribution of $f_k$ to the global linear complexity of the resulting sequence will be studied.

The root presence test for the product of $k$ distinct phases of a PN-sequence can be stated as follows, [8]:

$\alpha^E \in GF(2^L)$ is a root of the minimal polynomial of the generated sequence if and only if
Here $\alpha^{t_j} \in GF(2^L)$ ($j = 0, 1, \dots, k-1$) correspond respectively to the $k$ phases $(s_{n+t_j})$ of the PN-sequence. $E$, the representative element of the cyclotomic coset $E$, is a positive integer of the form $E = 2^{e_0} + 2^{e_1} + \cdots + 2^{e_{k-1}}$ with the $e_i$ ($i = 0, 1, \dots, k-1$) all different and running in the interval $[0, L)$. Under these conditions, $\alpha^E$ and its conjugate roots contribute to the global linear complexity of the nonlinearly filtered sequence. The value of this contribution is equal to the number of elements in such a cyclotomic coset.

The cyclotomic coset $E$ is said to be degenerate if the corresponding determinant $\Delta_E$ equals zero. Otherwise the cyclotomic coset $E$ will be nondegenerate.

Notice that every cyclotomic coset $E$ can be easily associated with the radix-2 form of the integer $E$. This fact quite naturally suggests the introduction of binary strings of length $L$ and Hamming weight $k$. Indeed, the cyclotomic coset $E$ can be equivalently characterized by:

(i) the integer $E$ of the form $E = 2^{e_0} + 2^{e_1} + \cdots + 2^{e_{k-1}}$;

(ii) an $L$-bit string whose 1's are placed at the positions $\{e_i\}_{i = 0, 1, \dots, k-1}$;

(iii) the determinant $\Delta_E$ as defined before;

(iv) the homogeneous linear system (2.1) associated with $\Delta_E$,
where $d_j \in GF(2^L)$ for all $j$.

In the sequel these four characterizations will be used interchangeably. Regarding the use of the binary strings, some additional notation is necessary.

Let $E = 2^{e_0} + 2^{e_1} + \cdots + 2^{e_{k-1}}$ and $F = 2^{f_0} + 2^{f_1} + \cdots + 2^{f_{l-1}}$ be two $L$-bit strings of weight $k$ and $l$ respectively, with $k < l$. $E \subset F$ means that $\{e_i\}_{i = 0, 1, \dots, k-1} \subset \{f_i\}_{i = 0, 1, \dots, l-1}$. That is, all the 1's in $E$ are also in $F$.

For a set of $L$-bit strings $\{E_n\} = \{E_1, E_2, \dots, E_N\}$, $\mathrm{OR}[\{E_n\}]$ denotes the $L$-bit string resulting from a bitwise OR among the $L$-bit strings of the set. Obviously, for every $n \in \{1, 2, \dots, N\}$, $E_n \subset \mathrm{OR}[\{E_n\}]$.

Finally, we quote the following definitions and results related to the global linear complexity of a function with a unique term of maximum order, [1].

A cyclotomic coset is called a fixed-distance coset if it has an element $E_d$ of the form $E_d = 2^{e_0} + 2^{e_1} + \cdots + 2^{e_{k-1}}$, with $e_i = d \cdot i \pmod{L}$ for all $i \in \{0, 1, \dots, k-1\}$ and $d$ being a positive integer less than $L$ such that $(d, L) = 1$. Its name is due to the fixed distance $d$ between the positions of the 1's in the $L$-bit string representation of $E_d$.

The 1 placed at the position $e_j$ will be called the $j$th-1 of the $L$-bit string associated with the coset $E_d$.
Theorem 1

$f$ is a $k$th-order function if and only if all the fixed-distance cosets are nondegenerate.

Corollary 1

The global linear complexity $\Lambda$ of the sequence produced by $f$ is lower-bounded by $\Lambda \ge N_L \cdot L$, where $N_L = \varphi(L)/2$ ($\varphi(L)$ being the Euler function). Here $N_L$ represents the number of fixed-distance cosets and $L$ the number of elements in such cosets.

Corollary 2

If $L$ is prime, then the global linear complexity $\Lambda$ of the sequence generated by $f$ is lower-bounded by $\Lambda \ge \binom{L}{2}$.

Remark that these results, which constitute the starting point of the present work, are independent of the LFSR, the order of $f$ and the particular form of $f$.

3 Theoretical Results 

Considering a general function $f$ defined as before, the present work is concerned with the following simple idea:

Not many degenerate cosets can exist simultaneously. 

A proof of this statement can be outlined in three different steps. First, the 
N cosets of a specific set are supposed to be simultaneously degenerate. Then, 
it is proved that only m of these cosets (with m < N) can be simultaneously de- 
generate. Consequently, (N-m) cosets contribute to the global linear complexity 
of the resulting sequence. 



This procedure can be expressed in a more formal way as follows. First of all, a new class of cosets is introduced.

Given a fixed-distance coset $E_d = 2^{e_0} + 2^{e_1} + \cdots + 2^{e_{k-1}}$ and $j \in \{0, 1, \dots, k-1\}$, we will call $j$th-quasi fixed-distance coset (for short, $j$th-quasi f-d coset) any cyclotomic coset whose representative element $F_d^j$ is of the form $F_d^j = 2^{f_0} + 2^{f_1} + \cdots + 2^{f_{k-1}}$ such that $\{e_i\}_{i = 0, 1, \dots, k-1,\ i \ne j} \subset \{f_i\}_{i = 0, 1, \dots, k-1}$. That is, a $j$th-quasi f-d coset $F_d^j$ is any cyclotomic coset whose associated $L$-bit string contains all the 1's of the $L$-bit string associated with $E_d$ except for the $j$th-1.

$\{F_{d,n}^j\} = \{F_{d,1}^j, F_{d,2}^j, \dots, F_{d,N}^j\}$ is used to denote a set of $j$th-quasi f-d cosets.

Lemma 1

Let $F_d^j$ be any $j$th-quasi f-d coset; then $\Delta_{F_d^j}$ has at least a minor of order $(k-1)$ (without the $j$th row and an arbitrary $i$th column) that does not equal zero:

Proof. The determinants $\Delta_{F_d^j}$ and $\Delta_{E_d}$ differ exclusively in the $j$th row. Expanding both determinants along the $j$th row, we can write $\Delta_{F_d^j}$ and $\Delta_{E_d}$ in terms of the $k$ minors of order $(k-1)$ of the form (3.1). The fact that $\Delta_{E_d} \ne 0$ (see Theorem 1) completes the proof.

The following theorem is the theoretical basis of the LB-algorithm. 

Theorem 2

Let $E_d$ be any fixed-distance coset and $j \in \{0, 1, \dots, k-1\}$. If for some set of $j$th-quasi f-d cosets $\{F_{d,n}^j\}$ there exists at least a fixed-distance coset $E_{d'}$ such that $E_{d'} \subset \mathrm{OR}[\{F_{d,n}^j\}]$, then the cosets of $\{F_{d,n}^j\}$ cannot be simultaneously degenerate.

Proof. We proceed by contradiction. We assume that the cosets of $\{F_{d,n}^j\}$ are simultaneously degenerate. This simultaneous degeneration is equivalent to the existence of a set of homogeneous linear systems (one associated with each determinant $\Delta_{F_{d,n}^j}$) with nontrivial solutions. All these systems have $(k-1)$ equations in common. Furthermore, due to Lemma 1, the solutions of each system are at the same time the joint solutions of all the systems; therefore the compatibility of the general system composed of all the different equations follows. Finally, according to the starting hypothesis, the $k$ equations associated with the determinant $\Delta_{E_{d'}}$ are among the equations of the general system. This means that a compatible system has a non-compatible subsystem, which is obviously a contradiction.



The LB-algorithm that is presented in the next section realizes the previous 
results by means of the handling of L-bit strings. 

4 The LB-Algorithm 

In this section, the LB-algorithm which computes a lower bound on the global 
linear complexity is presented in detail. The LB-algorithm is based on the 
previous theorems and corollaries. For every set of N quasi f-d cosets, the 
algorithm determines: 

(a) the maximum number m of cosets which can be simultaneously degen- 
erate. 

(b) the contribution to the global linear complexity of the (N-m) remaining 
cosets which are nondegenerate. 

The LB-algorithm converts the linear system (2.1) into an $L$-bit string according to the following simple rule: the presence of the $i$th equation $0 = d_0\, \alpha^{t_0 2^{e_i}} + d_1\, \alpha^{t_1 2^{e_i}} + \cdots + d_{k-1}\, \alpha^{t_{k-1} 2^{e_i}}$ in the system implies a 1 in the $L$-bit string at the position indicated by $e_i$. Note that, due to the particular form of the linear system, squaring the equations of the system (2.1) is equivalent to a left cyclic rotation of the associated $L$-bit string (Fig. 1). This fact will be used widely throughout the algorithm.

4.1 Bit Wise Logic Operations 

The LB-algorithm basically realizes three bitwise logic operations: AND, OR and exclusive-OR (denoted by XOR). An interpretation of each operation is presented in the following.

Given two homogeneous linear systems and their corresponding binary strings, 
the AND operation between both strings gives rise to a new homogeneous linear 
system whose equations are common to both systems (Fig. 2a)). In the algo- 
rithm the logic operation AND will be used to check the presence of a particular 
subsystem inside a general system. 

The XOR operation of two L-bit strings associated with both linear systems 
of the form (2.1) gives rise to a new system whose equations belong exclusively 
to one of the previous linear systems (Fig. 2b)). In the following algorithm the 
logic operation XOR is used to check if a particular coset has been previously 
studied. 

Finally, the OR operation among several L-bit strings gives rise to a macrosys- 
tem which includes all the equations corresponding to the systems (Fig. 2c)). 
Throughout the algorithm this logic operation is used as a fundamental tool to 
check the basic idea of this work: the simultaneous degeneration of the quasi 
f-d cosets. 

It is clear that the LB-algorithm is based exclusively on the handling of $L$-bit strings instead of solving linear systems or computing determinants in a finite field.

4.2 Notation 

The following notation is used throughout the LB-algorithm. 

FDC(i) ($i = 1, 2, \dots, N_L$) denotes the $L$-bit string corresponding to the $i$th fixed-distance coset $E_{d_i}$.

$\Lambda$ is a lower bound on the global linear complexity.

MASK(i,j) ($j = 1, 2, \dots, k-1$) denotes the $L$-bit string obtained from FDC(i) by replacing the $j$th-1 by a 0. Remark that MASK(i,0) is a shifted version of MASK(i,k-1).

C(i,j) denotes the set of $L$-bit strings associated with the $j$th-quasi f-d cosets $\{F_{d_i,n}^j\}$. Any $L$-bit string in C(i,j) previously considered must be eliminated. In order to detect them we operate on every $L$-bit string in C(i,j) as follows:

1. by means of AND operations with every FDC(i) ($i = 1, 2, \dots, N_L$), to discover the fixed-distance cosets;

2. by means of XOR operations with every previous MASK. Those cosets that produce a resulting string with a unique 1 must be eliminated from C(i,j), as they have already been analysed in previous sets $\{F_{d_i,n}^j\}$.

$m$ is a decreasing counter whose first value (denoted by $M$) is the number of $L$-bit strings in C(i,j) after eliminations.

a(n) ($n = 1, 2, \dots, \binom{M}{m}$) denotes each possible $M$-bit string of weight $m$.

VOR denotes the string resulting from an OR operation among those $m$ cosets of C(i,j) indicated by the positions of the 1's in a(n).

VL is a binary variable whose value depends on the AND operation between VOR and each FDC(i).
4.3 Algorithm 

The LB-algorithm INPUTS are $L$ (LFSR's length) and $k$ (order of the function) with $2 \le k \le L-2$, and its OUTPUT is the lower bound $\Lambda$ on the global linear complexity.

Fig. 3 shows the LB-algorithm, whose Steps 1 and 2 can be described as follows.

Step 1

Compute the $N_L$ values of $d$.

Generate the FDC(i) ($i = 1, 2, \dots, N_L$).

Initialize the lower bound $\Lambda = L \cdot N_L$.

Step 2

Generate MASK(i,j) ($i = 1, 2, \dots, N_L$; $j = 1, 2, \dots, k-1$).

Initialize the counter $m = L - k$.

Generate the set C(i,j).

Realize the AND between every FDC(l) ($l = 1, 2, \dots, N_L$) and every coset of C(i,j). If any result equals FDC(l), then the corresponding coset in C(i,j) is eliminated and $m = m - 1$.

Realize the XOR between every MASK(o,p) ($o = 1, 2, \dots, i-1$, $p = 1, 2, \dots, k-1$; $o = i$, $p = 1, 2, \dots, j-1$) and every coset of C(i,j). If any result has a unique 1, then the corresponding coset in C(i,j) is eliminated and $m = m - 1$.
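The following Python program is an added illustration of the $L$-bit string machinery of Sections 2 to 4; it is not the paper's implementation (the paper's own procedure is the one of Fig. 3, which is not reproduced here). Two assumptions are made explicit: cosets are compared up to cyclic rotation (a canonical-representative test plays the role of the AND/XOR eliminations of Step 2), and the counter $m$ is decremented while every $m$-subset of C(i,j) has an OR containing some fixed-distance coset (Theorem 2), the remaining $M - m$ cosets being credited with their coset size.

```python
from functools import reduce
from itertools import combinations
from math import gcd
from operator import or_

def rotate_left(s, L, r=1):
    """Left cyclic rotation of the L-bit string s (squaring the equations, Fig. 1)."""
    r %= L
    return ((s << r) | (s >> (L - r))) & ((1 << L) - 1)

def canonical(s, L):
    """Smallest rotation of s: one representative per cyclotomic coset."""
    return min(rotate_left(s, L, r) for r in range(L))

def coset_size(s, L):
    """Number of elements (distinct rotations) of the cyclotomic coset of s."""
    return len({rotate_left(s, L, r) for r in range(L)})

def fixed_distance_cosets(L, k):
    """Fixed-distance cosets E_d (e_i = d*i mod L, gcd(d, L) = 1), one per coset,
    as (positions e_0..e_{k-1} in i-order, L-bit string) pairs."""
    seen, fdc = set(), []
    for d in range(1, L):
        if gcd(d, L) != 1:
            continue
        pos = [(d * i) % L for i in range(k)]
        s = sum(1 << p for p in pos)
        if canonical(s, L) not in seen:      # e.g. d and L-d give the same coset
            seen.add(canonical(s, L))
            fdc.append((pos, s))
    return fdc

def contains_fdc(s, fdc, L):
    """Theorem 2 test: some rotation of some E_d' has all its 1's inside s."""
    return any((s & rotate_left(e, L, r)) == rotate_left(e, L, r)
               for _, e in fdc for r in range(L))

def quasi_cosets(pos, s, j, L):
    """MASK(i,j) and the jth-quasi f-d cosets: the jth-1 moved to each 0 position."""
    mask = s & ~(1 << pos[j])
    return mask, [mask | (1 << p) for p in range(L) if not (s >> p) & 1]

def lb_bound(L, k):
    """Lower bound on the global linear complexity for (L, k), 2 <= k <= L-2."""
    fdc = fixed_distance_cosets(L, k)
    seen = {canonical(e, L) for _, e in fdc}        # cosets already analysed
    bound = sum(coset_size(e, L) for _, e in fdc)   # Corollary 1 start: L * N_L
    for pos, e in fdc:
        for j in range(1, k):                       # MASK(i,0) ~ MASK(i,k-1)
            C = []                                  # C(i,j) after eliminations
            for f in quasi_cosets(pos, e, j, L)[1]:
                if canonical(f, L) not in seen:     # skips FDCs and seen cosets
                    seen.add(canonical(f, L))
                    C.append(f)
            m = len(C)                              # M, first value of the counter
            # While every m-subset's OR (VOR) contains some E_d', no m cosets of
            # C(i,j) can be simultaneously degenerate (Theorem 2): try m - 1.
            while m >= 2 and all(contains_fdc(reduce(or_, sub, 0), fdc, L)
                                 for sub in combinations(C, m)):
                m -= 1
            # At most m may be degenerate; the other M-m contribute their coset
            # size (smallest sizes taken, so the bound stays conservative).
            bound += sum(sorted(coset_size(f, L) for f in C)[:len(C) - m])
    return bound
```

For $L = 5$, $k = 3$ the program returns Corollary 2's value 10, and for $L = 7$, $k = 3$ it returns 28, i.e. Corollary 1's 21 plus one further coset of size 7 that Theorem 2 certifies as nondegenerate.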

4.4 Example 

Fig. 4 shows the results obtained from the LB-algorithm for $L = 11$ and $k = 6$.

Since the LB-algorithm is independent of the specific function and of the minimal polynomial of the LFSR, the lower bound obtained is valid for any arbitrary nonlinear function with a unique term of maximum order 6 and for any maximal-length LFSR of length 11.

If we had used the root presence test to obtain the same result, we would have had to compute (for each function of order 6 and each maximal-length LFSR of length 11) at least 22 determinants of order 6 in $GF(2^{11})$. This would have implied more than a million arithmetic operations in a finite field, [4]. According to the present algorithm, the numerical result obtained is independent of the function and of the maximal-length LFSR.

4.5 Discussion 

The main facts concerning the performance of the algorithm are summarized in 
this section. 

The LB-algorithm is divided into two stages. The first stage includes the generation and 'debugging' of the cosets to be analysed. The second stage is concerned with the simultaneous degenerations of the different sets of cosets. In the second stage a 'sweep' of some sets of cosets is carried out, which permits their use later on in the algorithm.

Regarding the required memory, note that only the $L$-bit strings MASK(i,j) (but not the cosets C(i,j)) have to be stored. This means keeping one out of every $(L-k)$ cosets analysed.

In order to handle the cosets of C(i,j), the most suitable data structure is a list. This structure also seems adequate for selecting, through the codification a(n), the cosets involved in each OR operation. On the other hand, in order to generate the successive strings a(n), backtracking can be used.

It can also be determined that the LB-algorithm has a maximum computational complexity of order $O(2^{L-k})$, where $L$ denotes the length of the LFSR and $k$ is the order of the function. In order to estimate this value, the 'worst possible case' has been assumed, which involves a number of logic operations given by
$N_L (k-1) \left[ \binom{M}{M} + \binom{M}{M-1} + \cdots + \binom{M}{2} \right] = N_L (k-1)(2^M - M) < N_L (k-1)\, 2^{L-k}.$
However, from the experimental results it can be deduced that the running time of the LB-algorithm depends on the real number of bitwise operations among the different $L$-bit strings, which is much less. As an illustrative example we can say that for $L = 53$ and $k = 27$ the number of logic operations is only
iV 53 (27 - !)[(!) + Q + Q + (f 2 ) + (11)} < N 53 ■ 26 • 2*. 

Furthermore, the following three considerations must be taken into account. First, for each pair of values $(L, k)$, the LB-algorithm has to be run only once. Second, it will be used only with relatively small inputs. And third, a high bound obtained for specific values of $L$ and $k$ will encourage the designer of running-key generators to use a nonlinear filter with a unique term of maximum order $k$ applied to any maximal-length LFSR of length $L$.

The LB-algorithm has been implemented on a DEC workstation and several experiments over prime values of $L$ have been carried out to evaluate it. The effect of this choice is twofold. On the one hand, it simplifies the computation of the $N_L$ values of $d$ in Step 1, and on the other hand, the more fixed-distance cosets there are, the higher the bounds the algorithm computes.

The following table shows some experimental results.



  L        11     17     23     29     37     43     47      53
  k         6      9     12     15     19     22     24      27
  Bound   242   3128   8349  22330  47952  75852  99405  143206

Table 1: Lower bounds on the global linear complexity

According to the values shown, the LB-algorithm is believed to be quite efficient for lower-bounding the global linear complexity of the filtered sequences. The growth of the bound observed can be approximated by the curve of Fig. 5, which has been obtained through regression analysis for the linear model. This approximation lets us estimate a bound above 500000 for $L = 89$.

In conclusion, the main result deduced from the LB-algorithm is reliability for the nonlinear filter. Thanks to it, a designer of nonlinear filter generators could carry out the following steps:

1.- Find values of $L$ and $k$ that produce a high lower bound,

2.- Choose any nonlinear function of order smaller than $k$,

3.- Add it to any $k$th-order product, and

4.- Apply the resulting nonlinear function to any maximal-length LFSR of length $L$.

In this way the designer would obtain a sequence with a guaranteed large global linear complexity.

5 Conclusions 

Our research has highlighted the problem of the global linear complexity of the nonlinear filter generators. In addition, a new algorithm, the so-called LB-algorithm, to lower-bound the global linear complexity has been presented.

This proposal differs from existing schemes in several aspects. Firstly, unlike the well-known Berlekamp-Massey algorithm [6], we do not consider the digits of the output sequence but the characteristics of the nonlinear filter. Secondly, the proposed algorithm does not require any condition on the LFSR's stages involved, unlike [5] and [7]. Therefore the obtained bounds are valid for any nonlinear function with a unique term of maximum order. Finally, this work is based on the handling of $L$-bit strings instead of computing determinants in a finite field (Rueppel's method, [8]), which seems to be much more adequate for software simulation and/or hardware implementation.

Large lower bounds for the global linear complexity have been obtained from the LB-algorithm without imposing any restriction on the function or the polynomial. This fact ensures the reliability of the nonlinear state-filter generators for cryptographic application.

This investigation has left as an open problem the study of the remaining cosets that the LB-algorithm does not analyse.